Changelog: Scale Without Limits
Daniel Liszka
TL;DR
July’s release tackles enterprise reality. We focused on breaking scaling barriers. We introduced Products for managing multi-project software at enterprise scale, streamlined policy development with new CLI commands, automated repository security checks with branch protection policies, and opened the CLI to custom extensions via plugins.
Products: Managing Multiple Projects as One
Your software products rarely live in a single repository or get built by one team. They span multiple codebases, involve different teams, and have complex dependencies. Projects can even belong to multiple products simultaneously, reflecting the reality of shared components and services.
Our new Products feature addresses this complexity by letting you group related projects under product umbrellas. Instead of tracking compliance for dozens of individual projects, you get unified visibility across everything that ships together, while still allowing projects to participate in multiple products as needed.
The Problem You Face Today
In Chainloop today, data collection and policy evaluations happen at the workflow level. Each workflow represents one data source, often mapped to a single CI step like a SAST scan. Projects aggregate this data under a project version.
This breaks down when your actual software products consist of multiple projects. You can’t easily manage compliance expectations, track product versioning, control user access, or configure alerts at the product level.
How It Works
Products serve as a central entry point above projects and give you:
Product-scoped access control: Grant teams access to their specific products while maintaining oversight across your portfolio.
Enhanced product-level reporting: See compliance data aggregated across all components that make up your product.
Product release management: Track which project versions are included in each product release and understand dependencies.
Compliance framework configuration: Set compliance requirements at the product level with reports that show which projects they apply to.
The practical benefit is immediate. Instead of asking “Is project X compliant?” you can ask “Is our product ready to ship?” and get a complete answer.
Products are now generally available. We’d love to hear your feedback as you start using this feature.
This builds on our previous work with enterprise features and RBAC Advanced, providing the organizational structure needed for managing software at scale.
Policy Development Tools
Security teams shouldn’t need months learning Rego to write policies. Our new CLI tools make policy development accessible to anyone who understands security requirements, without needing to become a Rego expert:
Initialize and scaffold: Use chainloop policy develop init to create new policies with proper template structure.
Lint and validate: chainloop policy develop lint validates YAML schema and Rego syntax, with optional formatting using Open Policy Agent (OPA) and Regal best practices.
Test with sample materials: chainloop policy develop eval lets you test policies against real SBOMs, attestations, or other artifacts locally before deployment.
Continuous testing: The tools support iterative development where you can run policy tests continuously, ensuring your policies work correctly as you develop them.
This development workflow—init, lint, eval, iterate—helps catch issues early and ensures policies behave correctly before they reach production. From idea to production policy in hours, not weeks. You can find complete examples and guides in our policy development documentation.
Coming soon: We’re exploring AI-powered policy creation using natural language. Describe your requirements in plain English, get production-ready policies. Interested? Contact us to join the early access program.
Branch Protection Policies
Stop failing audits for misconfigured repos. New branch protection policies (GitHub initially) automatically evaluate your repository configuration against NIST SSDF practices and SLSA 1.2 Source Track requirements:
Branch Protection Policies: Verify that your main branches have appropriate protection rules, required status checks, and push restrictions.
Commit Protection Policies: Ensure commits meet signing requirements and pass necessary status checks before being accepted.
Pull Request Protection Policies: Validate that code review requirements, dismissal rules, and merge policies align with security best practices.
Rather than a single pass/fail check, you get specific feedback on which protection mechanisms are in place and which need attention, allowing flexibility while maintaining security standards.
These policies work with runner context data that can be automatically gathered from your CI/CD environment, checking your repository security settings without manual input.
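The per-mechanism feedback described above, as an added illustration that is not Chainloop's own policy code: it evaluates a constructed runner-context snapshot of a GitHub repository's settings and reports each branch, commit, and pull request protection mechanism separately. The context field names are assumptions for illustration, not the real runner-context plugin schema.

```python
# Added example, not Chainloop's own code: evaluate a constructed runner-context
# snapshot of a GitHub repo's settings and report, per protection mechanism, which
# are in place and which need attention. Field names are assumptions for
# illustration, not the real runner-context plugin schema.

# Constructed sample of what a CI runner might gather about the "main" branch.
SAMPLE_CONTEXT = {
    "branch": {"protected": True, "required_status_checks": ["build", "sast"],
               "allow_force_pushes": False},
    "commit": {"require_signed_commits": False},
    "pull_request": {"required_approving_reviews": 1, "dismiss_stale_reviews": False},
}

# (check id, what the mechanism is, predicate over the context). Grouped like the
# page's branch / commit / pull request policies.
CHECKS = [
    ("branch.protected", "protection rules enabled on the main branch",
     lambda c: c["branch"]["protected"]),
    ("branch.status_checks", "at least one required status check",
     lambda c: len(c["branch"]["required_status_checks"]) > 0),
    ("branch.no_force_push", "force pushes disabled",
     lambda c: not c["branch"]["allow_force_pushes"]),
    ("commit.signed", "signed commits required",
     lambda c: c["commit"]["require_signed_commits"]),
    ("pr.reviews", "at least one approving review required",
     lambda c: c["pull_request"]["required_approving_reviews"] >= 1),
    ("pr.dismiss_stale", "stale reviews dismissed when new commits are pushed",
     lambda c: c["pull_request"]["dismiss_stale_reviews"]),
]

def evaluate(context):
    """Map every check id to (passed, description) instead of a single pass/fail.
    A field missing from the context counts as the mechanism not being in place."""
    results = {}
    for check_id, description, predicate in CHECKS:
        try:
            passed = bool(predicate(context))
        except (KeyError, TypeError):
            passed = False
        results[check_id] = (passed, description)
    return results

def needs_attention(results):
    """Sorted ids of mechanisms that are not in place, for the report."""
    return sorted(cid for cid, (passed, _) in results.items() if not passed)

def report(context):
    """One line per mechanism: the specific feedback rather than a bare verdict."""
    return [f"{'PASS' if ok else 'FAIL'} {cid}: {desc}"
            for cid, (ok, desc) in evaluate(context).items()]
```

With the sample context, signed commits and stale-review dismissal are the two mechanisms flagged as needing attention while the rest pass.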
CRA Compliance Solution Brief
CRA deadline approaching? All the features described above work together to address regulatory requirements like the EU Cyber Resilience Act. Our CRA Compliance Solution Brief outlines a practical 3-phase approach to automate evidence collection and policy evaluations without disrupting development velocity.
CLI Plugin Architecture
Every enterprise has unique workflows. Instead of forcing you into ours, the new CLI plugin system lets you extend Chainloop CLI to match your processes:
The new CLI plugin architecture provides process isolation, security, and dynamic command loading. Plugins are discovered automatically from ~/.config/chainloop/plugins/ and integrate seamlessly with the main Chainloop CLI.
First plugin available: Runner Context (Experimental) - Gathers details about your CI/CD environment configuration, including branch protection settings, pull request configurations, and commit protection details.
The CLI includes management commands for listing available plugins and retrieving detailed information about their capabilities. Future releases will support downloading and installing plugins from configurable sources.
You can find more details about the extensibility approach in GitHub issue #2090.
Early Adoption of SLSA 1.2rc
We’ve begun implementing support for SLSA 1.2 Release Candidate. This upcoming version introduces the new Source Track, which defines source management requirements and represents a major milestone in SLSA development.
By adopting early, we ensure Chainloop customers are ready when SLSA 1.2 becomes the official standard.
Looking Ahead
July’s release delivers on our promise: Scale Without Limits.
Whether you’re managing 10 projects or 1000, Products give you unified compliance visibility. Policy tools turn days of Rego learning into hours of productive work. Branch protection catches security gaps before auditors do. Plugins ensure Chainloop works your way.
This is enterprise-grade compliance that scales with you, not against you.
Want to see these features in action?
- Request demo: chainloop.dev/book-a-demo
- Documentation: docs.chainloop.dev
- Open source: github.com/chainloop-dev/chainloop
Stay updated: Follow us on LinkedIn